1. Field of the Invention
The present invention relates generally to an improved data processing system and in particular to a method and apparatus for processing data. Still more particularly, the present invention relates to a computer implemented method, apparatus, and program code for detecting malicious software.
2. Description of the Related Art
Malware is software designed to infiltrate a data processing system without the consent of a user or owner of the data processing system. Malware may include, for example, a virus, a worm, a Trojan horse, spyware, unauthorized adware, and other malicious and unwanted software. A virus is a computer program that can copy itself and infect a data processing system without permission or knowledge of a user. A computer virus may seek a host, such as a program or document, to infect a data processing system and replicate itself each time the document or program is opened.
Another example of malware is a worm, which is a program that actively transmits itself over a network to infect other computers. A Trojan horse is any program that invites a user to run the program and conceals harmful and malicious code. This hidden code may take effect immediately or may take effect after some period of time. Malware may do no damage to a system but may simply replicate itself. This type of malware also may make its presence known by presenting text, video, or audio messages. Other types of malware, however, may result in erratic behavior, loss of files, or system crashes.
In response to these and other types of malware, various malware detection applications have been developed to detect and/or remove malware. In these examples, an application may be one or more programs or other software components. Software components may include both executable and non-executable files. Once malware has been detected, the malware can be removed and/or prevented from executing on a data processing system.
Protection against malware may come in different forms. Some malware detection applications may execute individually on computers, while other malware detection applications may execute on devices, such as routers or firewalls, to prevent entry of malware into a network. A malware detection application may provide intrusion prevention to protect against attacks from malware.
These applications may use signature detection to identify malware, such as viruses. A virus signature is a characteristic byte pattern that is part of a particular virus or family of viruses. This pattern signature may be used to identify viruses. Further, these applications may include behavioral analysis to identify unknown malware. With viruses that have not yet been detected, the behavior of software components may be analyzed to determine whether they may be malware.
These malware detection applications also may use other methods to identify unknown or new viruses. This type of identification may be performed by identifying suspicious behavior from a software component, which might indicate the presence of malware. This type of analysis may emulate the operating system and run the executable file or component in a simulation. After the software component has terminated execution, an analysis is made for changes that may indicate the presence of malware. These and other approaches may be used to identify potential malware.
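The two detection approaches described above, as an added illustration that is not part of the patent text: a signature scanner that matches characteristic byte patterns (extended here with one-byte `??` wildcards, which the text does not mention) and a post-execution check that compares a snapshot of file hashes taken before a component is run in emulation with one taken after it terminates. The signatures, file paths and file contents are constructed for the example.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed, illustrative signatures (name -> hex pattern); "??" matches any one byte.
# These are NOT real malware signatures.
SIGNATURES = {
    "Demo.Virus.A": "4d5a??00deadbeef",
    "Demo.Worm.B": "7f454c46??0101",
}

def compile_signature(hex_pattern: str) -> "re.Pattern[bytes]":
    """Turn a hex pattern with '??' wildcards into a bytes regex."""
    tokens = [hex_pattern[i:i + 2] for i in range(0, len(hex_pattern), 2)]
    parts = [b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in tokens]
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so "." also matches 0x0a

COMPILED = {name: compile_signature(p) for name, p in SIGNATURES.items()}

def scan_bytes(data: bytes) -> List[Tuple[str, int]]:
    """Signature detection: return (signature name, byte offset) for every match."""
    hits = []
    for name, pattern in COMPILED.items():
        for m in pattern.finditer(data):
            hits.append((name, m.start()))
    return hits

def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file of a (constructed) filesystem state: path -> sha256 hex digest."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}

def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Post-execution analysis: classify what changed between the two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }

def suspicious_changes(changes: Dict[str, List[str]],
                       protected: Tuple[str, ...] = ("/system/", "/autorun/")) -> List[str]:
    """Flag added or modified files under paths an ordinary document or program should not touch."""
    return sorted(p for p in changes["added"] + changes["modified"] if p.startswith(protected))
```

A real emulator would also record registry, process and network activity; the hash-diff here shows only the file-change part of the analysis the text describes.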